IMPROVEMENTS NEEDED IN MANAGEMENT, OPERATIONAL, AND TECHNICAL CONTROLS FOR PBS' STAR SYSTEM
REPORT NUMBER A040159/P/T/R05006

March 31, 2005

TABLE OF CONTENTS

EXECUTIVE SUMMARY
    Purpose
    Background
    Results-in-Brief
    Recommendations
    Management Comments

INTRODUCTION
    Objectives, Scope, and Methodology

RESULTS OF AUDIT
    Careful Assessment of STAR Functionality and Performance Measures Is Essential in Light of Business Process Changes
        System Functionality Changes Have Not Been Consistent with a Target Architecture
        Performance Goals Are Not Yet Specific to STAR and Have Not Been Consistently Monitored
        Data Dictionary Is Not Comprehensive Enough to Adequately Describe Information Supporting PBS Business Processes
    System Risk Must Be Managed with Appropriate Security Controls
        Background Checks Have Not Been Completed for Contractors Supporting STAR
        Audit Trails Lack Sufficient Detail
        Transmission of Sensitive Data May Not Be Adequately Protected
        Key Components of System Security Have Not Been Comprehensively Addressed With Certification and Accreditation of Controls
    Recommendations
    Management Comments
    Internal Controls

APPENDICES
    PBS RESPONSE TO DRAFT REPORT
    REPORT DISTRIBUTION
EXECUTIVE SUMMARY

Purpose

The General Services Administration's (GSA) Public Buildings Service (PBS) is responsible for
the oversight of an inventory of more than 8,900 buildings and 340 million square feet of office
and warehouse space. The System for Tracking and Administering Real Property (STAR) is
PBS' mission-critical information technology (IT) investment, managed by the Office of the PBS
Chief Information Officer, that provides realty specialists and portfolio managers the capability
to input and update business data. PBS relies heavily on STAR as the primary tool used to track
and manage the government's real property assets and to store inventory data, billing data,
building data, customer data, and lease information. STAR manages aspects of real property
space management, including identification of all building space and monthly billing for all
property to its client Federal agencies. The objective of our review of STAR was to assess how
the system is meeting management and user requirements, and the effectiveness of system
security controls.

Background

For a number of years, PBS experienced problems with its real property management
information systems. Functions were limited, the same data had to be input multiple times into
several systems, old software was unreliable and difficult to maintain, and PBS experienced
problems with data accuracy. PBS conducted extensive market research and analysis beginning
March 1994 to evaluate various alternative real estate information systems. STAR was deployed
in 1997 to help PBS become more effective at managing government properties and related
annual rent billings.
Initially, the system was primarily used by PBS realty and revenue
specialists in the 11 GSA regions. STAR has since been expanded to support the security
function in the Federal Protective Service mega-centers, to bill other Federal agencies for rent, to
provide management information for GSA and other Federal managers, and to exchange
information with other systems through the PBS Data Gateway System.

Results-in-Brief

STAR was developed to provide improved functional capabilities for many of PBS' business
processes. Management, operational, and technical controls for the system, however, need to be
strengthened to better provide necessary functional capabilities in support of PBS' business
processes. Recent organizational, business, and system changes have challenged PBS' ability to
manage STAR efficiently and effectively, and in a manner consistent with enterprise architecture
goals for information technology. While PBS has taken steps to improve the collection and
reporting of performance measures through the STAR business case, additional steps are needed
to establish and achieve system-specific measures and goals for long-term efficiency and
effectiveness. Further, PBS has not yet completed a comprehensive data dictionary for STAR
that can be leveraged across the organization to effectively support business functions. System
security weaknesses requiring action include the need to: (1) complete background checks for
contractors supporting STAR prior to providing them with access to the system and its resources;
(2) capture additional detail with audit trails to support investigations should normal system
operations cease; (3) reassess whether additional protection for system interfaces is warranted;
and (4) develop a more comprehensive approach to monitoring risks with the system.
Taking steps to strengthen management, operational, and technical controls for STAR will better enable
PBS to ensure long-term success for this mission-critical system by providing the information
needed to effectively manage its real property assets.

Recommendations

In order to strengthen managerial, operational and technical controls for the STAR system, we
recommend that the Commissioner, Public Buildings Service, work with the PBS-CIO to ensure
that:

1. STAR provides necessary business line management information through:
   a. System enhancements, which are consistent with enterprise architecture goals.
   b. System-specific performance measures for identifying and monitoring progress with
      meeting established goals and system requirements.
   c. A complete system data dictionary designed to capture the comprehensive nature of
      information in STAR and more effectively leverage the system across the organization.

2. Adequate security controls are in place to manage risks with STAR by:
   a. Completing necessary background checks for contractor staff as required by the GSA IT
      Security Policy and implementing compensating controls, as necessary, until this process
      is completed.
   b. Enhancing the system's audit trails to provide an effective control for capturing a
      snapshot of information at any given time to better enable system monitoring and
      recovery.
   c. Reassessing the risk of not encrypting the transmission of sensitive STAR data.
   d. Updating the system risk assessment, security plan, and business continuity plan to more
      comprehensively address potential system threats and vulnerabilities.

Management Comments

In his March 31, 2005 response to our draft report, which is included in its entirety as Appendix
A, the PBS Commissioner generally concurred with the findings and recommendations presented
in our report.
Written comments provided by the Commissioner explain the basis for current
STAR configurations and processes, and outline actions planned in response to the audit
recommendations. The response identified compensating controls that have been implemented
in lieu of having background checks completed. However, the identified non-disclosure
agreements, GSA Rules of Behavior, and on-line security courses are not compensating access
controls. Procedures cited in the Commissioner's response define responsibilities but do not
prevent access by individuals or monitor their use of STAR or its data. We therefore reaffirm the
need to ensure compensating controls are established until background checks have been
completed.

INTRODUCTION

The Public Buildings Service (PBS) implemented the System for Tracking and Administering
Real Property (STAR) in 1997 to provide a means to track and manage the government's real
property assets and to store inventory data, billing data, building data, customer data, and lease
information. As such, STAR is a mission-critical system managed by the Office of the PBS
Chief Information Officer that supports management aspects of real property space management,
including identification of all building space, daily management of 22,000 assignments, and
monthly billing for all property to its client Federal agencies. PBS' real property inventory
consists of over 8,900 buildings and 340 million square feet of office and warehouse space for
which Federal agencies pay PBS approximately $6 billion per year in rent.
STAR provides PBS realty specialists and portfolio managers the capability to input and update business data and
direct access to business data supporting the management of space and customer billing records.
Beyond initial capabilities, STAR has been expanded to support the security function in the
Federal Protective Service (FPS) mega-centers, to bill other Federal agencies for rent, to provide
management information for GSA and other Federal managers, and to exchange data with other
systems through the PBS Data Gateway System.

The Office of Inspector General (OIG) Information Technology (IT) Audit Office issued a report
on STAR in March 2000 [1]. At that time, we found that: (1) STAR modifications were still
underway to respond to numerous user concerns, resolve software problems, and provide
additional key capabilities; (2) PBS remained heavily dependent upon the sole-source contractor
for day-to-day operation of STAR and implementation of technical solutions; and (3) PBS
experienced difficulty in implementing and maintaining a project management structure and
system development methodology to ensure the proper development of system capabilities and
implementation of system control processes. We also reported that STAR management and
control weaknesses needed to be resolved to complete systems development and migrate STAR
to a stable operation and maintenance system life cycle phase.

In October 2002, our office also issued a report on the PBS Systems Development Center
(SDC) [2], which included an assessment of STAR management through the SDC. PBS had
attempted to address ongoing difficulties with developing and managing efficient and effective
IT systems by implementing the SDC. The SDC approach did not successfully meet PBS'
project management goals for its systems.
PBS established an Application Review Panel to
review and monitor projects, including STAR, for development, enhancement, and
implementation as well as recommend project changes to reflect PBS business processes.

[1] PBS Needs to Complete STAR Development and Implement Management and System Controls to Fully Realize
    Improved Capabilities, Report Number A995010/P/T/R00013, dated March 31, 2000.
[2] The Systems Development Center Has Not Successfully Met PBS Project Management Goals, Report Number:
    A020043/P/T/R03001, dated October 31, 2002.

Objectives, Scope, and Methodology

The objective of our review was to assess how well the STAR system is meeting management
and user requirements, and the effectiveness of system security controls. Our review focused on
STAR project management, security, quality assurance, testing, and system controls. We
analyzed key documentation, including the Security Plan, Business Continuity Plan, Risk
Assessment, security testing and evaluation reports, certification and accreditation
documentation, results of vulnerability scanning, and PBS enterprise architecture documentation.
We met with a wide range of PBS officials, contract personnel, and STAR users, including the
STAR Program and Project Managers; security officials; contractors responsible for system
development, database administration, and computer operations; and persons responsible for data
accuracy. We also reviewed the STAR Master Plan dated October 2002, Post-Implementation
Review dated August 2001, and Business Case for fiscal years (FY) 2005 and 2006. STAR was
concurrently reviewed and incorporated in the FY 2004 review of GSA's IT Security Program
required by the Federal Information Security Management Act (FISMA). Our office recently
issued two separate reports on STAR security.
FY 2004 Office of Inspector General Review of
GSA's Information Technology Security Program, Report Number: A040179/O/T/F04015, dated
September 27, 2004, provided the results of our FISMA review, which included our assessment
of security controls for nine systems, including STAR, across GSA's Services, Staff Offices, and
Regions. Detailed results for our FISMA control tests for STAR were reported subsequently in
FY 2004 Office of Inspector General Information Security Review of the System for Tracking
and Administering Real Property, Report Number: A040179-10/O/T/F05014, dated January 5,
2005. With our FISMA review, we have previously provided specific results of our technical
vulnerability scanning and detailed findings on security controls for STAR to the GSA Office of
the Chief Information Officer (CIO) and to PBS management.

To assess managerial, operational, and technical controls for the system, we relied on: (1)
applicable statutes, regulations, policies, and operating procedures such as: the GSA Information
Technology (IT) Security Policy, CIO P 2100.1B, November 2004; the Government
Performance and Results Act of 1993; Federal Information Processing Standards (FIPS) Publication
199, Standards for Security Categorization of Federal Information and Information Systems,
December 2003; FIPS Publication 74, Guidelines for Implementing and Using the NBS Data
Encryption Standard, April 1981; the CIO Council's A Practical Guide to the Federal Enterprise
Architecture, Version 1.0, February 2001; Federal Information Systems Control Audit Manual
(FISCAM), January 1999; Office of Management and Budget (OMB) Circular A-130, Appendix
III, Security of Federal Automated Information Resources, November 28, 2000; OMB Circular
A-11, Preparation, Submission, and Execution of the Budget, July 2004; Guide for Developing
Security Plans for Information Technology Systems, National Institute of Standards and
Technology (NIST) Special
Publication 800-18, December 1998; Risk Management Guide for
Information Technology Systems, NIST Special Publication 800-30, January 2002; Contingency
Planning Guide for Information Technology Systems, NIST Special Publication 800-34, June
2002; OMB FY 2004 Reporting Instructions for the Federal Information Security Management
Act; and the GSA CIO's IT procedural guides on password generation and protection, security
incident handling, conducting risk assessments, developing contingency and configuration
management plans, security test and evaluation, access control, auditing and monitoring, and
certification and accreditation. We also referenced the Government Accountability Office's
Standards for Internal Control in the Federal Government, Property Management Systems
Requirements - Checklist for Reviewing Systems Under the Federal Financial Management
Improvement Act, December 2001; Executive Guide, Measuring Performance and
Demonstrating Results for Information Technology Investments, March 1998; and Assessing
Reliability of Computer-Processed Data, October 2002; as well as the GSA Financial Statement
Audit, PricewaterhouseCoopers, 2004.

We performed our audit work in GSA's Central Office, the National Capital Region (NCR), and
contacted users in the New England Region (Region 1), Northeast and Caribbean Region
(Region 2), the Mid-Atlantic Region (Region 3), Southeast Sunbelt Region (Region 4), and the
Heartland Region (Region 6). We performed our audit work between March and December
2004, in accordance with generally accepted government auditing standards.
The scope of our
audit did not include a detailed analysis of the data within STAR or the accuracy of that data.
Our audit scope also did not include a review of PBS' contractual practices used in procuring
STAR or the overall acquisition process.

RESULTS OF AUDIT

The System for Tracking and Administering Real Property (STAR) was developed to provide
improved functional capabilities for many of the Public Buildings Service's (PBS) business
processes. Management, operational, and technical controls for the system, however, need to be
strengthened to better provide necessary functional capabilities in support of PBS' business
processes. Recent organizational, business, and system changes have challenged PBS' ability to
manage STAR efficiently and effectively, and in a manner consistent with enterprise architecture
goals for information technology (IT). While PBS has taken steps to improve the collection and
reporting of performance measures through the STAR business case, additional steps are needed
to establish and achieve system-specific measures and goals for long-term efficiency and
effectiveness. Further, PBS has not yet completed a comprehensive data dictionary for STAR
that can be leveraged across the organization to effectively support business functions. System
security weaknesses requiring action include the need to: (1) complete background checks for
contractors supporting STAR prior to providing them with access to the system and its resources;
(2) capture additional detail with audit trails to support investigations should normal system
operations cease; (3) reassess whether additional protection for system interfaces is warranted;
and (4) develop a more comprehensive approach to monitoring risks with the system.
Taking steps to strengthen management, operational, and technical controls for STAR will better enable
PBS to ensure long-term success for this mission-critical system by providing the information
needed to effectively manage its real property assets.

Careful Assessment of STAR Functionality and Performance Measures Is Essential in
Light of Business Process Changes

Since the STAR system was implemented in 1997, PBS has undergone changes in key business
processes, which have resulted in the need to change the system's functionality. Modifications
to STAR have not been guided by an enterprise architecture, or an IT road map for PBS, and the
STAR business case was only recently modified to more adequately collect and report on
established performance improvement goals. Consequently, adequate performance metric data
for STAR is needed for PBS to better direct the system towards target performance
improvements. To determine whether STAR system investments are meeting business and
system requirements, system-specific performance measures must be first identified and then
monitored. Further, the data dictionary for STAR is not comprehensive enough to adequately
describe system data or information provided by the system in support of PBS business
processes. A more thorough assessment of STAR requirements and its performance is needed to
assist PBS in establishing and meeting its long-term needs for this critical system in support of
changing business processes.

System Functionality Changes Have Not Been Consistent with a Target Architecture

Changes in functionality required for STAR, including the way PBS computes rent charges,
continue to challenge the system's development and operations efforts. These changes have also
affected PBS' ability to develop and implement a "to be" or target enterprise architecture.
With STAR, PBS purchased a commercial-off-the-shelf (COTS) package called the Permanent Record
of Managed Property Transactions (PROMPT) system from AT&T System Leasing Corporation
as the base for the system. Since 1997, PBS has spent approximately $75 million to implement
and enhance STAR, and current lifecycle costs through fiscal year (FY) 2009 estimate the
system will eventually cost PBS over $150 million. When acquired, PROMPT and other COTS
products considered by PBS did not perform needed billing functions, which led PBS to invest
$4.8 million to develop new billing functionality for STAR. A subsequent decision to change
PBS' billing processes to more closely align with lower private sector costs resulted in additional
modifications of STAR to allow for billing based on rentable space rather than usable
space. This change had the unforeseen effect of causing customer rent bills to fluctuate even
though the tenant's space assignments had not changed. Thus, to better meet customer needs,
PBS has recently decided to develop new billing functionality in the Occupancy Agreement
(OA) Tool, to replace STAR's billing capabilities. The resulting duplication in billing system
functionality does not support GSA's goals for enterprise architecture and IT capital planning
and investment.

The 2002 STAR Master Plan addresses the need to review billing policies in STAR to identify
validity, citing fluctuating rent bills as a major complaint, and notes several development
activities for improving billing functionality.
The Master Plan presents the results of a vision
and strategy, a technology baseline, a system assessment, and a business case analysis for
improving the PBS systems that support the lease management, property management,
construction and renovation management, business management, and customer service
management processes. The FY 2006 business case for
STAR identifies that Federal agencies rely on the system to hold data regarding building
availability, space details, and billing information, and that the client billing record (CBR) is one
of the modules within the system used as a tool for PBS employees. With this change, monthly
reports will be run to identify whenever STAR updates to its building inventory require changes
to information within the OA Tool for billing purposes. However, neither the STAR Master Plan
nor the Business Case includes plans to integrate or otherwise eliminate redundant modules
when PBS moves to bill from the OA Tool. While PBS plans to begin billing from the OA Tool
in April of 2005, this will require that: (1) occupancy agreements be put in place for a large
number of tenants and (2) data reconciliation be performed between STAR and the OA Tool.
For occupancy agreements that are not in place prior to this date, PBS will need to bill customers
from the CBRs that currently reside within STAR. When new occupancy agreements are entered
into the OA Tool and finalized, edit checks for STAR will be performed. Using the proposed
new billing process, CBRs will remain in STAR to enable management of the building
inventory. After the transition to the new OA Tool, STAR and the OA Tool could contain
duplicate data that may require reconciliation. PBS officials advised that they are developing but
have not formalized or integrated plans for reducing duplicate processes and data in STAR and
the OA Tool.
In such a dynamic business environment, it is critical that the development of
mission-critical systems like STAR be guided by an enterprise architecture that defines business
strategy and processes, data needed to manage the business, applications, and technology used to
provide the data, while reflecting the impact of ongoing changes in business functions and
supporting IT capital planning and investment decisions.

Performance Goals Are Not Yet Specific to STAR and Have Not Been Consistently Monitored

PBS has taken steps to improve the collection of and reporting on performance measures for
STAR despite significant changes to PBS business, system, and organizational processes.
However, while STAR had performance goals and measures tied to GSA's strategic goals, none
of the performance goals or measures for STAR are tied specifically to system performance.
Further, the STAR Business Case for the FY 2005 budget submission indicated that data had not
been captured and none was reported for the strategic goals of achieving responsible asset
management and of providing best value for customer agencies and taxpayers. In January 2005,
subsequent to our audit fieldwork, PBS updated its FY 2006 business case for STAR by adding
specific planned performance improvement goals, actual performance improvement results,
planned performance metrics, and actual performance metric results for its FY 2003 and FY
2004 strategic goals, information previously omitted from the business case. Again, recently
reported results were not tied to STAR performance.
As a result, information is not available to
assess how well the system is meeting user needs and system requirements.

According to the 2002 GSA IT Strategic Plan, GSA's vision for information technology is to
design, build, and operate a customer-focused, agile, and highly secure set of services and
applications to enable the agency to deliver what customers want efficiently and effectively.
Related strategic goals are intended to provide managers with a yardstick to measure
achievement in operating their programs more efficiently and effectively. The Government
Performance and Results Act (GPRA) of 1993 requires Federal agencies to focus on defining
missions, setting goals, measuring performance, and reporting accomplishments to include
demonstrated improvements in performance measurement. Performance goals are to be
objective, quantifiable, and measurable in order to provide a basis for comparing actual results
against established goals. Additionally, for assets like STAR that are in operation, the Office of
Management and Budget (OMB) requires that agencies demonstrate how close actual annual
operating and maintenance costs are to the original life-cycle cost estimates, and whether the
level or quality of performance and capability meets the performance goals and continues to
meet agency and user needs.
Not meeting GPRA and OMB requirements for STAR has left PBS
unable to measure long-term efficiency and effectiveness of this mission-critical system.
System-specific performance goals are needed to ensure that STAR system investments meet
specified user needs and functional requirements, and PBS needs to routinely monitor
performance metric data to ensure that it meets established performance improvement goals.

Data Dictionary Is Not Comprehensive Enough to Adequately Describe Information Supporting
PBS Business Processes

A comprehensive STAR data dictionary accessible across PBS business lines has not yet been
completed and therefore cannot be leveraged across the organization to more effectively use the
system. This condition relates directly to a finding we reported in our March 2000 report, where
we identified that PBS had not completed a data mapping of PROMPT and PBS information
systems to compare relationship diagrams detailing the different parts of the organization
(business entities), the relationships between information used by the different business entities,
and the specific data elements and attributes contained in the information. Further, database
documentation provided for PROMPT at that time was not as complete and thorough as that used
by PBS, because PROMPT did not capture many of the data elements used by PBS. Currently,
PBS utilizes the Business Information Solution (BIS) database as an enterprise-wide data
dictionary. The BIS database is composed of data from four systems, including STAR, and is
intended to provide a business-level understanding of the data, rules, values, and distribution of
data contained in the BIS database tables and columns. However, the tables and columns for
STAR lack a number of key components needed to more effectively use the system.

BIS tables identify the types of data the table contains and what the data is used for.
Specific
information identified for tables includes rules, which define the entity relationship; AKA (Also
Known As), which is used to identify the enterprise business standard name or another common
business name by which this attribute is known; the system physical name, which supplies users
with the authoritative source for the data in the column; distributed to, which identifies if data is
distributed to another system as well as the name of the system and the physical table and entity
business name in the receiving system; and the distributed from, which identifies if data is
distributed from another system as well as the name of the system and the physical table and
entity business name of the sending system.

For the 106 tables within the STAR data dictionary:
   • 50% do not identify "rules" for data content;
   • 75% do not identify other names ("AKAs") used for the table;
   • 65% do not identify where the data in the table is "distributed to;" and
   • 97% do not identify where the data in the table is "distributed from."

Columns are the specific data fields within the tables, as described above, and include similar
information specifically related to each data field.

For the 1,852 columns within the STAR data dictionary making up the tables:
   • 93% do not identify the "value" portion of the data field;
   • 57% do not identify where the data is "distributed to;"
   • 98% do not identify where the data is "distributed from;"
   • 88% do not identify "rules" for data content; and
   • 71% do not identify other names ("AKAs") used for the data field.

Further, the data dictionary for STAR does not specify optional and required data that is
dependent on other data, nor
does it identify the range of values, source, and authorization for\naccess for each of the data elements. For the majority of data elements, the dictionary does not\nindicate which application programs use the data in specific fields. This is especially useful\nwhen trying to determine how STAR uses the data and which elements of STAR data are\nexchanged with subscribing systems3, such as Pegasys, the Occupancy Agreement Tool, and the\nOperational Data Store. The STAR data dictionary also does not group the data elements,\nmaking it difficult to present the information in recognizable units that would facilitate user\nunderstanding of its contents.\n\nIn 2001, a post-implementation analysis4 for STAR completed by Booz\xe2\x8b\x85Allen & Hamilton Inc.\nconcluded that the lack of links to other systems, in addition to a lack of historical data and\ndifficulty accessing data, have resulted in a STAR system that does not efficiently meet user data\naccess needs. Further, the analysis recommended that PBS overcome the inconsistent use of\n\n3\n  Subscribing systems are systems that interface with STAR. Almost all of these interfaces are conducted through\nthe Data Gateway.\n4\n  STAR Post-Implementation Analysis Final Report, dated August 20, 2001.\n\n\n                                                       7\n\x0cterms and data fields that contribute to data inaccuracy for the system. An effective data\ndictionary would accurately and completely define data contained in the database and indicate\nwhich application programs use the data so that, when a data structure is contemplated, a list of\nthe affected programs can be generated. A detailed data dictionary for STAR would also help to\nsimplify database modification, reduce data redundancy, and increase data reliability. 
In addition to the benefits already discussed, improvements to the STAR data dictionary would facilitate information sharing and better enable PBS to promote its IT investments more efficiently and effectively.

System Risk Must Be Managed with Appropriate Security Controls

We identified several weaknesses in STAR security controls that could lead to system vulnerabilities or unnecessary risks. With our FY 2004 Federal Information Security Management Act (FISMA) review [5], which identified specific security weaknesses including results from system vulnerability scans, we previously provided these findings to the Office of the GSA Chief Information Officer [6] and PBS management to give prompt feedback on security concerns for GSA's systems. That report, through a detailed analysis of STAR security controls, identified specific risks that need to be addressed. First, National Agency Check and Inquiries Credit background checks, required by the GSA IT Security Policy before contractors are given access to critical system and data resources, have not yet been completed, leaving the system exposed to unauthorized access to, or modification of, system functionality and data resources. Second, audit trails for STAR lack sufficient detail, which may negatively affect PBS' ability to trace user and batch actions and to recover efficiently and effectively from the cessation of normal system operations. Third, sensitive data may not be adequately protected during transmission to and from STAR, raising the potential for this information to be compromised or to fall into the hands of unauthorized users. Finally, the system security certification and accreditation (C&A) documents that we reviewed for STAR did not address all security controls required by the GSA-CIO's IT Security Program.

Background Checks Have Not Been Completed for Contractors Supporting STAR

Contractors working with STAR have not received the background checks required by the GSA IT Security Policy before being allowed access to the STAR system and its data. The PBS contract with the system developer has only recently been modified to require that background checks be completed. Because employee access to and use of STAR data affects GSA's mission, operations, and efficiency of service, STAR positions have been designated Government public trust positions. For this reason, PBS employees and contractors who access STAR must undergo a suitability investigation (background check) and receive public trust certification. If contractor staff are permitted to access the system before appropriate background screening is completed, compensating controls to mitigate the associated risk need to be in place. While PBS has requested the required background checks for existing and new contractors developing or operating STAR, compensating controls should be established until this process is completed.

[5] FY 2004 Office of Inspector General Review of GSA's Information Technology Security Program, Report Number A040179/O/T/F04015, September 27, 2004.
[6] FY 2004 Office of Inspector General Information Security Review of the System for Tracking and Administering Real Property, Report Number A040179-10/O/T/F05014, January 5, 2005.

Audit Trails Lack Sufficient Detail

If normal operations of the STAR system ceased, the system's audit trail documentation may not adequately support after-the-fact investigations or provide sufficient detail to trace user actions. Thus, PBS may be unable to efficiently and effectively detect and recover from security incidents caused by administrative or user errors, irregularities, or security flaws and weaknesses. The STAR Security Plan confirms that there are no audit trails for SQL database IDs or UNIX operating system IDs, and that UNIX retains only owner, date, and time information for each file. For every STAR database table in which a row can be updated or inserted by a batch job, the table stores the batch job name along with the date and time of the last update; but this limited audit logging is not detailed enough to identify the changes made (which columns changed, from what value to what value, and under whose ID), or to easily resolve changes made in error.

While a proposal to introduce server management and monitoring improvements for STAR was prepared by the PBS Infrastructure Division in May 2003, little progress has been made toward the proposed improvements. PBS noted that modifications to capture and retain all data element changes and to provide historical data for researching changes to transactions would be a major and potentially costly modification.
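The kind of row-level trail this finding calls for, shown as an added example that is not part of the report and is not STAR's code. It uses SQLite through Python's built-in sqlite3 module with an assumed `building` table; the report describes STAR only as a SQL database on UNIX and gives no schema, so the table, columns, job names and building ID below are constructed for illustration. The example keeps the provenance the report says STAR has today (batch job name plus last-update time on the row) and adds triggers that record, for each changed column, the old value, the new value and the actor set on the connection, then shows a batch change made in error being located in the log and reversed.

```python
"""Row-level audit trail for a STAR-style table, built with SQLite triggers."""
import sqlite3

# Constructed schema for illustration; STAR's real tables are not described
# in the report.  last_batch/last_update mirror the only provenance the report
# says STAR keeps: the batch job name and the time of the last update.
SCHEMA = """
CREATE TABLE building (
    building_id   TEXT PRIMARY KEY,
    city          TEXT NOT NULL,
    rentable_sqft INTEGER NOT NULL,
    last_batch    TEXT,
    last_update   TEXT
);
-- Single-row table naming the actor on this connection (user or batch job).
-- The application sets it before writing so the triggers can attribute changes.
CREATE TABLE session (actor TEXT NOT NULL);
INSERT INTO session VALUES ('unattributed');
CREATE TABLE audit_log (
    audit_id    INTEGER PRIMARY KEY AUTOINCREMENT,
    table_name  TEXT NOT NULL,
    row_key     TEXT NOT NULL,
    action      TEXT NOT NULL,      -- INSERT, UPDATE or DELETE
    column_name TEXT NOT NULL,
    old_value   TEXT,               -- NULL for INSERT
    new_value   TEXT,               -- NULL for DELETE
    actor       TEXT NOT NULL,
    logged_at   TEXT NOT NULL
);
"""
AUDITED_COLUMNS = ("city", "rentable_sqft")


def trigger_sql(table, key, columns):
    """Build AFTER INSERT/UPDATE/DELETE triggers that write one audit row per changed column."""
    now = "strftime('%Y-%m-%dT%H:%M:%SZ', 'now')"
    actor = "(SELECT actor FROM session)"

    def log(action, ref, col, old, new, cond=""):
        return (
            "INSERT INTO audit_log(table_name, row_key, action, column_name, "
            "old_value, new_value, actor, logged_at) "
            f"SELECT '{table}', {ref}.{key}, '{action}', '{col}', {old}, {new}, "
            f"{actor}, {now}{cond};"
        )

    ins = " ".join(log("INSERT", "NEW", c, "NULL", f"NEW.{c}") for c in columns)
    # IS NOT is NULL-safe, so a NULL-to-value change is logged as well
    upd = " ".join(log("UPDATE", "OLD", c, f"OLD.{c}", f"NEW.{c}",
                       f" WHERE OLD.{c} IS NOT NEW.{c}") for c in columns)
    dele = " ".join(log("DELETE", "OLD", c, f"OLD.{c}", "NULL") for c in columns)
    return (
        f"CREATE TRIGGER {table}_ai AFTER INSERT ON {table} BEGIN {ins} END;\n"
        f"CREATE TRIGGER {table}_au AFTER UPDATE ON {table} BEGIN {upd} END;\n"
        f"CREATE TRIGGER {table}_ad AFTER DELETE ON {table} BEGIN {dele} END;"
    )


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + trigger_sql("building", "building_id", AUDITED_COLUMNS))
    return conn


def set_actor(conn, actor):
    conn.execute("UPDATE session SET actor = ?", (actor,))


def run_batch(conn, job_name, rows):
    """Upsert (building_id, city, rentable_sqft) rows the way a nightly job would."""
    set_actor(conn, "batch:" + job_name)
    with conn:
        conn.executemany(
            "INSERT INTO building(building_id, city, rentable_sqft, last_batch, last_update) "
            "VALUES (?, ?, ?, ?, strftime('%Y-%m-%dT%H:%M:%SZ', 'now')) "
            "ON CONFLICT(building_id) DO UPDATE SET city = excluded.city, "
            "rentable_sqft = excluded.rentable_sqft, last_batch = excluded.last_batch, "
            "last_update = excluded.last_update",
            [(bid, city, sqft, job_name) for bid, city, sqft in rows],
        )


def history(conn, building_id):
    """Every logged change to one row: (audit_id, action, column, old, new, actor)."""
    return conn.execute(
        "SELECT audit_id, action, column_name, old_value, new_value, actor "
        "FROM audit_log WHERE table_name = 'building' AND row_key = ? ORDER BY audit_id",
        (building_id,),
    ).fetchall()


def revert(conn, audit_id, actor):
    """Undo one logged UPDATE by writing its old value back; the revert is itself logged."""
    row = conn.execute(
        "SELECT table_name, row_key, action, column_name, old_value "
        "FROM audit_log WHERE audit_id = ?", (audit_id,)).fetchone()
    if row is None or row[2] != "UPDATE":
        raise ValueError("only a logged UPDATE can be reverted")
    table, key, _, col, old = row
    if table != "building" or col not in AUDITED_COLUMNS:
        raise ValueError("audit row names an unexpected table or column")
    set_actor(conn, actor)
    with conn:
        conn.execute(f"UPDATE {table} SET {col} = ? WHERE building_id = ?", (old, key))


if __name__ == "__main__":
    db = open_db()
    run_batch(db, "NIGHTLY_0412", [("DC0001ZZ", "Washington", 120000)])
    run_batch(db, "NIGHTLY_0413", [("DC0001ZZ", "Washington", 12000)])  # dropped a zero
    for entry in history(db, "DC0001ZZ"):
        print(entry)
```

Two points carry over to a production system. The `actor` value is only as good as what the application sets: a shared SQL ID or a UNIX ID used by several people, which is the situation the Security Plan describes, attributes every change to that ID rather than to a person, so the identity mapping has to be solved before the trail is meaningful. And the audit table must be protected from the same IDs that write business data (append-only for application accounts, retained and backed up separately), or an error or a hostile user can erase the record along with the change.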
PBS advised that they were waiting to decide how to better incorporate audit logging within the system until related guidance from the National Institute of Standards and Technology (NIST) is finalized. The GSA "IT Security Procedural Guide, Auditing and Monitoring, CIO-IT Security-01-08," dated April 27, 2001, states that auditing and monitoring is an all-inclusive security concept that encompasses a wide range of security activities and provides valuable input into security processes such as security test and evaluation, certification and accreditation, and risk assessment. Audit trails must be improved if they are to provide an effective control that offers a snapshot of the state of the system at any given time, to better enable PBS to detect incidents and recover from the cessation of normal operations.

Transmission of Sensitive Data May Not Be Adequately Protected

PBS has decided not to encrypt data transmissions from the system that remain behind the firewall protecting GSA's wide area network. However, the STAR Security Plan states that unauthorized access to, loss, misuse, or modification of the sensitive data in STAR could be expected to have severe or catastrophic adverse effects on GSA and other agency operations, missions, functions, and assets. According to Federal Information Processing Standards Publication 74, protection of sensitive data during transmission may be necessary to maintain the confidentiality and integrity of the information represented by the data, and encryption of this sensitive information within Federal computer networks is needed. The sensitivity level for the confidentiality, availability, and integrity of STAR data is considered high, and PBS has recognized that, in the hands of wrongdoers, sensitive STAR data on agency buildings, locations, physical features, and numbers of employees could be used to facilitate hostile acts against the United States Government, resulting in loss of human life and destruction of Government facilities of grave proportions. The memorandum of agreement between STAR and the Data Gateway identifies that certain security measures are required to protect STAR data both in storage and during transfer. System interfaces are required to meet the level of security described in the STAR Security Plan, including coordination of periodic administrative risk evaluations; maintenance of continuous operational controls, technical controls, secure data handling practices, and other physical and technical safeguards; and maintenance of trusted behavior. Without encryption of sensitive data as it passes between STAR and the Data Gateway and between the Data Gateway and other GSA systems, STAR data may not be adequately protected, since GSA has over 17,600 users with access to the Agency's wide area network, and a firewall at the network perimeter does not protect traffic from those internal users or from a compromised host inside the network. A careful reassessment of the need to encrypt data transmitted within the GSA network should be conducted to preserve the confidentiality and integrity of STAR's sensitive data.

Key Components of System Security Have Not Been Comprehensively Addressed With Certification and Accreditation of Controls

Several components of STAR security do not comprehensively address risks as required by the GSA-CIO's IT Security Program, even though PBS has completed a risk assessment, security plan, and contingency plan, and has indicated that security weaknesses for STAR are being documented and tracked in a system-level Plan of Action and Milestones (POA&M). A certification and accreditation (C&A) was performed for the system on May 9, 2003, and a POA&M has been developed and is being used to help manage risk with the system. PBS security officials have also implemented a vulnerability scanning program to identify and mitigate system vulnerabilities. However, it is not clear specifically which security controls will be monitored on a periodic basis, and the system Risk Assessment did not include a risk level matrix to prioritize risks, threats, and vulnerabilities for STAR. Additionally, the system Security Plan did not identify and discuss the full range of operational, managerial, and technical controls, such as: documented rules and procedures for system interconnections; backup procedures; procedures for verifying that default passwords have been changed; procedures for reviewing access control lists to identify and remove users who have left the organization or whose duties no longer require access to the system; and the laws, regulations, and policies affecting STAR in terms of requirements for confidentiality, integrity, and availability. The Business Continuity Plan has been completed, but it did not include critical contingency planning steps necessary to comprehensively address risks, such as information on the reconstitution phase of the plan and established agreements for the alternate site, completion of a business impact analysis, inclusion of detailed information on the alternate site, and identification of testing and maintenance schedules. As a result, STAR and its data may be exposed to undue risk if PBS does not take steps to more comprehensively address potential system threats and vulnerabilities. Necessary management and operational controls for the system would be strengthened by a more robust certification and accreditation process.

Recommendations

In order to strengthen managerial, operational, and technical controls for the STAR system, we recommend that the Commissioner, Public Buildings Service, work with the PBS-CIO to ensure that:

1. STAR provides necessary business line management information through:
   a. System enhancements that are consistent with enterprise architecture goals.
   b. System-specific performance measures for identifying and monitoring progress toward established goals and system requirements.
   c. A complete system data dictionary designed to capture the comprehensive nature of information in STAR and more effectively leverage the system across the organization.

2. Adequate security controls are in place to manage risks with STAR by:
   a. Completing necessary background checks for contractor staff as required by the GSA IT Security Policy and implementing compensating controls, as necessary, until this process is completed.
   b. Enhancing the system's audit trails to provide an effective control for capturing a snapshot of information at any given time, to better enable system monitoring and recovery.
   c. Reassessing the risk of not encrypting the transmission of sensitive STAR data.
   d. Updating the system risk assessment, security plan, and business continuity plan to more comprehensively address potential system threats and vulnerabilities.

Management Comments

In his response to our draft report, the PBS Commissioner provided comments on specific audit findings and recommendations, which are included in their entirety as Appendix A.
The response includes explanations of current STAR configurations and processes, outlines actions that are being or will be taken in response to the audit findings, and generally concurs with the recommendations. Brief segments of the March 31, 2005 response are included here for each finding and recommendation.

Regarding the reported need for careful assessment of STAR functionality in light of business process changes, PBS advised in part that they "have updated the process documentation to reflect that the Enterprise Architect will be actively involved at the beginning of requirements gathering and will ensure adherence to the Enterprise Architecture throughout the Software Development Lifecycle (SDLC)." Also, PBS "will review the current performance measures with the Business Lines, as well as Business Analytics Division and strengthen our system-specific performance measures for identifying and monitoring progress with meeting established goals and system requirements." With the data dictionary, they "will review listed deficiencies and input the missing information as identified in the IG Audit Report."

In response to managing system risk with appropriate security controls, the Commissioner stated that: "Background investigation paperwork has been submitted for all STAR developer contractor personnel and OPM has completed action on about 30% of these investigations. Current status of completion has been communicated with the IG. The STAR SSP, Section 3.1.3 Interim Access to STAR and Non-Disclosure Agreements details the compensating controls that are in place to enable development contractors to access STAR data pending completion of a background check." We note that the procedures cited in the Commissioner's response define responsibilities but do not prevent access by untrustworthy individuals or monitor individuals' use of STAR data. Regarding audit trails, PBS responded that they will: "seek independent verification and impact analysis for implementing audit features based upon a review of STAR's current audit trail capability, the IG audit findings, the NIST 800-53, and FIPS 200. A significant financial investment may be required to bring STAR into full compliance with the NIST Guidelines coupled with the audit recommendations. This investment may require software enhancements to STAR and the acquisition of additional auditing and monitoring tools for the development and production environments." PBS stated that: "The PBS CIO Office will reassess and make a risk-based decision regarding the use of encryption to protect the confidentiality and integrity of sensitive STAR data that is exchanged behind the GSA firewall." The Commissioner also stated that: "In future updates to the system security plan, risk assessment, and business continuity plan, we will more comprehensively address potential system threats and vulnerabilities. We will also include a risk level matrix in the STAR Risk Assessment to prioritize the risks, threats, and vulnerabilities for STAR; and we will update the ESC Business Continuity Plan to include the critical contingency planning steps."

Internal Controls

As discussed in the Objectives, Scope, and Methodology section of this report, the objective of our review was to assess how well the STAR system is meeting management and user requirements, and the effectiveness of system security controls. Thus, we analyzed the sufficiency of STAR systems development, project management, system requirements, and system controls. The Results of Audit and Recommendations sections of this report state in detail the need to strengthen specific managerial, operational, and technical controls for STAR. The scope of our audit did not include a detailed analysis of the data within STAR or the accuracy of that data. Our audit scope also did not include a review of PBS' contractual practices used in procuring STAR or the overall acquisition process.

APPENDIX A - PBS RESPONSE TO DRAFT REPORT

After reviewing the draft report, the following section contains PBS' responses to the outlined recommendations. Our comments are organized and summarized in response to the Recommendations section of the Executive Summary and are in blue color.

Recommendations

In order to strengthen managerial, operational and technical controls for the STAR system, we recommend that the Commissioner, Public Buildings Service, work with the PBS-CIO to ensure that:

1. STAR provides necessary business line management information through:

   a.
System enhancements, which are consistent with enterprise architecture goals.

[In Blue] We believe all STAR enhancements are consistent with Enterprise Architecture goals. In particular, during requirements development for billing from the Occupancy Agreement (OA) Tool, we have specifically addressed elimination of redundant modules, an EA goal. For example, the current STAR functions include the PBS inventory of all buildings and space, an inventory of all leases including space and rental payments, and our billing system. To reduce duplicate data entry we are taking steps to eliminate the redundancy through the dual business process redesign and the system. The OA tool enhancements specifically will provide for these improvements as well as increase our data accuracy.

We also continue to keep our Enterprise Quality Program (EQP) updated. This includes updating the Project Management Plan (PMP), Configuration Management Plan (CMP), Independent Validation and Verification Plan (IV&VP), and the Quality Assurance Plan (QAP). We have updated the process documentation to reflect that the Enterprise Architect will be actively involved at the beginning of requirements gathering and will ensure adherence to the Enterprise Architecture throughout the Software Development Lifecycle (SDLC).

   b. System-specific performance measures for identifying and monitoring progress with meeting established goals and system requirements.

[In Blue] Currently, the performance measures for STAR are business-specific and have been consistently monitored. As outlined in our 300B report, STAR has very specific strategic goals listed. For FY 2005 and 2006, they include:
   - Achieve responsible Asset Management
   - Provide best value for customer agencies and taxpayer
   - Operate efficiently and effectively.

In addition, we submit monthly reports on earned value on the project to the Office of the GSA CIO. We also track Helpdesk calls and monitor for system changes.

For the future, for system-specific performance measures, we will measure and track the following from the 2005 GSA Information Technology Measures:
   - Maintain full Certification and Accreditation (C&A)
   - % of system weaknesses completed on time or on schedule
   - Rated highly for Business Case by OMB
   - Rated highly for Enterprise Architecture by OMB

We will review the current performance measures with the Business Lines, as well as the Business Analytics Division, and strengthen our system-specific performance measures for identifying and monitoring progress with meeting established goals and system requirements. We will review with the Business the possibility of adding system availability or system uptime measures.

   c. A complete system data dictionary designed to capture the comprehensive nature of information in STAR and more effectively leverage the system across the organization.

[In Blue] We will review listed deficiencies and input the missing information as identified in the IG Audit Report.

2. Adequate security controls are in place to manage risks with STAR by:

   a. Completing necessary background checks for contractor staff as required by the GSA IT Security Policy.

[In Blue] Background investigation paperwork has been submitted for all STAR developer contractor personnel and OPM has completed action on about 30% of these investigations. Current status of completion has been communicated with the IG. The STAR SSP, Section 3.1.3 Interim Access to STAR and Non-Disclosure Agreements details the compensating controls that are in place to enable development contractors to access STAR data pending completion of a background check.

   b. Enhancing the system's audit trails to provide an effective control for capturing a snapshot of information at any given time to better enable system monitoring and recovery.

[In Blue] The current Audit Trail sufficiently provides an effective control for capturing a snapshot of information at any given time to better enable system monitoring and recovery. The NIST Special Publication 800-53 "Recommended Security Controls for Federal Systems" was published in February 2005 and is intended to provide guidance to federal agencies until the publication of FIPS 200, "Minimum Security Controls for Federal Information Systems" (projected for publication December 2005). These minimum security controls, once published, will be mandatory for all major Federal systems and PBS will comply.

The focus of the audit recommendation is the organization's "ability to efficiently and effectively recover after cessation of normal activities." The ability to recover from the cessation of normal activities is heavily reliant on a system's back-up and recovery procedures. STAR back-up and recovery procedures include nightly back-ups to the STAR server and to an off-site location. STAR is also backed up on a weekly cycle. Currently these back-ups are maintained off site for a four-week cycle.

We will seek independent verification and impact analysis for implementing audit features based upon a review of STAR's current audit trail capability, the IG audit findings, the NIST 800-53, and FIPS 200.

A significant financial investment may be required to bring STAR into full compliance with the NIST Guidelines coupled with the audit recommendations. This investment may require software enhancements to STAR and the acquisition of additional auditing and monitoring tools for the development and production environments. These tools, once acquired, must be "tuned" to monitor and establish the appropriate alerts. Additionally, individuals must be trained to operate the tools, and monitoring procedures must be developed. Because of the potential cost in terms of software development, the requirement to potentially acquire additional monitoring tools for the development and production environments, and the requirement to train individuals to run these tools, multiple analyses are required. These analyses are needed to identify what transactions should be maintained and how long they should be maintained, processing and storage requirements, user interface requirements, and what tool sets and training are required. Documentation will also need to be developed for end users and production personnel.

   c. Reassessing the risk of not encrypting the transmission of sensitive STAR data.

[In Blue] PBS has implemented virtual private network (VPN) connectivity to better ensure the confidentiality and integrity of sensitive data transmitted outside the GSA firewall. We disagree with the portion of the finding that focuses on encrypting data that is passed behind the GSA firewall, including data that is passed between STAR and the Data Gateway. Encryption only protects data in the transmission and storage data states. The GSA Firewall protects data in our databases (without encryption); it should be sufficient to protect data that is transferred from one system to another, as long as the systems are behind the firewall. Additionally, a review of Chapter 5, paragraph 7 of the GSA IT Security Policy (CIO P 2100.1B, November 5, 2004) confirms that all sensitive but unclassified information that is transmitted outside the GSA firewall shall be encrypted. While STAR contains SBU data, the boundaries for the STAR to Data Gateway interface are all within the PBS ESC and are all behind the GSA firewall. The 17,600 users who access GSA's wide area network do not have access to the data as it is passed from STAR to the Data Gateway and then on to other systems.

The STAR batch process occurs at about 10 PM; the online system is locked out to allow for batch processing. The STAR batch process includes the data transfer to the Data Gateway. Users cannot access STAR during the batch process, or the Data Gateway interface during this process. The Data Gateway does not have any application users. The exchange that occurs between STAR and the Data Gateway is controlled through the use of a password and access rights. Data accessed in the Data Gateway is read access only and does not compromise the integrity of STAR data.

Implementation of encryption based upon the NIST encryption standards may involve significant costs and adversely impact the performance of STAR and of each of the downstream systems that receive sensitive STAR data.

The goal of information security is to deny unauthorized access to information resources in an economically efficient manner. In determining a security strategy for a system or the organization, the PBS CIO must determine the correct balance between mitigating appropriate risks and expending resources.

The PBS CIO Office will reassess and make a risk-based decision regarding the use of encryption to protect the confidentiality and integrity of sensitive STAR data that is exchanged behind the GSA firewall.

   d. Updating the system security plan, risk assessment, and business continuity plan to more comprehensively address potential system threats and vulnerabilities.

[In Blue] STAR is scheduled for recertification and reaccreditation during FY 2006. A risk assessment will be conducted during FY 2006 as part of the recertification and reaccreditation process. The STAR SSP and Business Continuity Plan will also be updated.

In future updates to the system security plan, risk assessment, and business continuity plan, we will more comprehensively address potential system threats and vulnerabilities. We will also include a risk level matrix in the STAR Risk Assessment to prioritize the risks, threats, and vulnerabilities for STAR; and we will update the ESC Business Continuity Plan to include the critical contingency planning steps.

APPENDIX B - REPORT DISTRIBUTION

Recipient (copies):
   - Commissioner, Public Buildings Service (P): 3
   - Chief Information Officer, Public Buildings Service (PG): 2
   - Chief Information Officer (I): 2
   - PBS Management Control and Audit Liaison, Office of the PBS Chief Financial Officer (PF): 1
   - Assistant Inspector General for Auditing (JA and JAO): 2
   - Deputy Assistant Inspector General for Real Property Audits (JA-R): 1
   - Audit Follow-up and Evaluation Branch (BECA): 1
   - Audit Planning Staff (JAN): 1
   - Administration and Data System Staff (JAS): 1
   - Assistant Inspector General for Investigations (JI): 2